CN1298511A - Stack-based security requirements - Google Patents

Stack-based security requirements

Info

Publication number: CN1298511A
Authority: CN (China)
Prior art keywords: requirement, security requirement, security, action, caller
Legal status: Pending
Application number: CN99805488A
Other languages: Chinese (zh)
Inventor: R·谢夫勒
Current assignee: Sun Microsystems Inc
Original assignee: Sun Microsystems Inc
Priority claimed from US 09/044,944 (US6226746B1)
Application filed by Sun Microsystems Inc
Publication of CN1298511A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/42 Loop networks
    • H04L12/427 Loop networks with decentralised control
    • H04L12/433 Loop networks with decentralised control with asynchronous transmission, e.g. token ring, register insertion
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/133 Protocols for remote procedure calls [RPC]


Abstract

A system obtains the security requirements for an action requested by a thread executing on a computer. The thread invokes a plurality of methods during its execution. The system includes a call stack and a determination unit. The call stack stores an identifier and security requirements for each of the methods in the order that the methods were invoked by the thread. The determination unit combines the method security requirements from the call stack to obtain the security requirements for the requested action.

Description

Stack-based security requirements
Related applications
The following U.S. patent applications are relied upon by, and are incorporated by reference in, this application:
U.S. Patent Application Serial No. 08/988,431, filed December 11, 1997, entitled "Controlling Access to a Resource".
U.S. Patent Application Serial No. ____, filed December 11, 1997, entitled "Protection Domains to Provide Security in a Computer System".
U.S. Patent Application Serial No. ____, filed December 11, 1997, entitled "Secure Class Resolution, Loading and Definition".
U.S. Patent Application Serial No. ____, filed December 11, 1997, entitled "Typed, Parameterized and Extensible Access Control Permissions".
U.S. Patent Application Serial No. 08/883,636, filed June 26, 1997, entitled "Layer-Independent Security for Communication Channels".
U.S. Provisional Patent Application Serial No. 60/076,048, filed February 26, 1998, entitled "Distributed Computing System".
U.S. Patent Application Serial No. 09/044,923, filed March 20, 1998, entitled "Method and System for Leasing Storage".
U.S. Patent Application Serial No. 09/044,838, filed March 20, 1998, entitled "Method, Apparatus and Product for Leasing of Delegation Certificates in a Distributed System".
U.S. Patent Application Serial No. 09/044,834, filed March 20, 1998, entitled "Method, Apparatus and Product for Leasing of Group Membership in a Distributed System".
U.S. Patent Application Serial No. 09/044,916, filed March 20, 1998, entitled "Leasing for Failure Detection".
U.S. Patent Application Serial No. 09/044,933, filed March 20, 1998, entitled "Method for Transporting Behavior in an Event-Based System".
U.S. Patent Application Serial No. 09/044,919, filed March 20, 1998, entitled "Deferred Reconstruction of Objects and Remote Loading for Event Notification in a Distributed System".
U.S. Patent Application Serial No. 09/044,938, filed March 20, 1998, entitled "Methods and Apparatus for Remote Method Invocation".
U.S. Patent Application Serial No. 09/045,652, filed March 20, 1998, entitled "Method and System for Deterministic Hashes to Identify Remote Methods".
U.S. Patent Application Serial No. 09/044,790, filed March 20, 1998, entitled "Method and Apparatus for Determining the Status of Remote Objects in a Distributed System".
U.S. Patent Application Serial No. 09/044,930, filed March 20, 1998, entitled "Downloadable Smart Proxies for Performing Processing Associated with a Remote Procedure Call in a Distributed System".
U.S. Patent Application Serial No. 09/044,917, filed March 20, 1998, entitled "Suspension and Continuation of Remote Methods".
U.S. Patent Application Serial No. 09/044,835, filed March 20, 1998, entitled "Method and System for Multi-Entry and Multi-Template Matching in a Database".
U.S. Patent Application Serial No. 09/044,839, filed March 20, 1998, entitled "Method and System for In-Place Modifications in a Database".
U.S. Patent Application Serial No. 09/044,945, filed March 20, 1998, entitled "Method and System for Type-Safe Attribute Matching in a Database".
U.S. Patent Application Serial No. 09/044,931, filed March 20, 1998, entitled "Dynamic Lookup Service in a Distributed System".
U.S. Patent Application Serial No. 09/044,939, filed March 20, 1998, entitled "Apparatus and Method for Providing Downloadable Code for Use in Communicating with a Device in a Distributed System".
U.S. Patent Application Serial No. 09/044,826, filed March 20, 1998, entitled "Method and System for Facilitating Access to a Lookup Service".
U.S. Patent Application Serial No. 09/044,932, filed March 20, 1998, entitled "Apparatus and Method for Dynamically Verifying Information in a Distributed System".
U.S. Patent Application Serial No. 09/030,840, filed February 26, 1998, entitled "Method and Apparatus for Dynamic Distributed Computing Over a Network".
U.S. Patent Application Serial No. 09/044,936, filed March 20, 1998, entitled "An Interactive Design Tool for Persistent Shared Memory Spaces".
U.S. Patent Application Serial No. 09/044,934, filed March 20, 1998, entitled "Polymorphic Token-Based Control".
U.S. Patent Application Serial No. 09/044,915, filed March 20, 1998, entitled "Stack-Based Access Control".
U.S. Patent Application Serial No. 09/044,837, filed March 20, 1998, entitled "Per-Method Designation of Security Requirements".
Background of the invention
The present invention relates to security measures in computer systems and, more particularly, to combining the security requirements of the various methods in the calling hierarchy of a thread executing on a computer.
Distributed systems typically comprise a number of different computers interconnected by a communication network. Often, a client-server relationship is established between the communicating computers. Generally, a "client" is defined as a process that makes a call to request a resource located on, or controlled by, a "server" process. In this sense, the computers running the requesting process and the server process may themselves be referred to as the client and the server, although these roles may change depending on the context of the information and the particular processing involved.
One mechanism that facilitates the client-server relationship is the remote procedure call (RPC), in which the client invokes a function of the server. RPC is a mechanism that provides synchronous communication between two processes running on the same or different computers. The RPC mechanism is usually implemented in two parts: one on the client side and the other on the server side.
When a client computer communicates with a server computer, security is a recurring concern. A failure to implement security can seriously hinder the operation of both client and server computers. An organization that uses computer systems is therefore vulnerable to people who, intentionally or accidentally, cause the computer system to malfunction or steal the organization's confidential information.
System operators generally address three classes of security problems: (1) preventing the interception and alteration of messages; (2) controlling access to a server; and (3) authentication of the server by the client. In object-oriented programming environments, system operators have conventionally addressed these problems by defining a security level that provides methods for setting communication requirements. One such object-oriented programming environment is the Sun Microsystems™ Java™ object-oriented programming environment, described in the text "Java 1.1 Developer's Guide" by Jaworski, published by Sams.net in 1997, the contents of which are incorporated herein by reference.
The security level comprises five communication requirements: confidentiality, integrity, anonymity, authenticate_server and no_delegation. Confidentiality guarantees that the content of a message is private; system operators use encryption techniques to ensure that only the holder of the correct key can decrypt a message. Integrity detects changes to the content of a message (both request and reply) and refuses to process a message that has been altered; system operators may accomplish this detection by using checksums or the like at both the client and the server.
Anonymity indicates that the client does not want to be authenticated; in other words, the client does not wish to be authenticated by the server. Authenticate_server indicates that the client requires the server to be authenticated before a remote method is invoked; this communication requirement ensures that the client is communicating with the correct server. No_delegation indicates that the server is not permitted to delegate under the client's identity in the calls it makes; in other words, the server is not authorized to call other computer systems claiming to be the client.
At the client, the security level is represented by a single bit for each communication requirement. By setting the bits corresponding to confidentiality, integrity, anonymity, authenticate_server and no_delegation, the client specifies, respectively, that confidentiality is to be guaranteed, that integrity is to be guaranteed, that the client is to remain anonymous, that the server is to be authenticated, and that the server may not delegate.
Conventionally, the client indicates the security level either in a global context or as a preference on a per-reference basis. In a conventional RPC system, the client usually holds a reference to the server. This "server reference" generally comprises network information, such as the network address of the server host; protocol information, such as the port on the host to connect to; and an object identifier that identifies the server object that is to be the subject of the call. "Per reference" therefore means that the communication requirements are set on the server reference, so that any call made using that server reference uses those communication requirements.
If the client sets communication requirements in a global context while executing one method, a later method can override those communication requirements, either by rewriting the global context or by setting communication requirements on a per-reference basis. Even if the client sets communication requirements on a per-reference basis while executing one method, a later method can still override them by rewriting the communication requirements on the same server reference.
For example, suppose the client invokes a first method, and the first method then invokes a second method, passing the server reference to it. Suppose the second method uses that server reference to perform a function X on the remote server. Suppose further that the first method has the communication requirements of confidentiality and integrity, and sets these requirements in the global context or on the server reference before passing the reference to the second method. Finally, suppose the second method overwrites the communication requirements on the reference passed to it, replacing the original communication requirements with an authenticate_server requirement. In a conventional system, the second method's communication requirements replace those of the first method, so the call is made with only an authenticated server. As a result, the confidentiality and integrity required by the first method cannot be guaranteed.
Conventional security levels thus cannot guarantee that the individual communication requirements specified by each method in the calling hierarchy are honoured. There is therefore a need to improve the specification of security requirements in communication systems.
Summary of the invention
Systems and methods consistent with the principles of the invention address this need by combining the communication requirements of each method in the calling hierarchy. That is, the individual communication requirements of the methods are merged to obtain the strictest set of communication requirements appropriate for the call.
A system consistent with the principles of the invention obtains the security requirements for an action requested by a thread executing on a computer. During its execution, the thread invokes a plurality of methods. The system includes a call stack and a determination unit. The call stack stores an identifier and the security requirements for each of the methods, in the order in which the methods were invoked by the thread. The determination unit combines the method security requirements from the call stack to obtain the security requirements for the requested action.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, explain the objects, advantages and principles of the invention. In the drawings:
Fig. 1 is a diagram of a computer network consistent with the principles of the invention;
Fig. 2 is a diagram of a computer of Fig. 1 in an embodiment consistent with the principles of the invention;
Fig. 3 is a diagram of a call stack associated with a thread on the computer of Fig. 2;
Fig. 4 is a flowchart of the processing performed by the collect-security-requirements method of Fig. 3 in an embodiment consistent with the principles of the invention; and
Fig. 5 is a flowchart of other embodiments consistent with the invention for determining the security requirements associated with an action.
Detailed description
The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. Also, the following detailed description does not limit the invention; the scope of the invention is defined by the appended claims and their equivalents.
Systems and methods consistent with the principles of the invention merge the communication requirements of each routine (that is, function or method) in a thread that requests an action accessing a resource. When the requested action is detected, the communication requirements for the action are determined from the communication requirements associated with each routine in the thread's calling hierarchy. The calling hierarchy is the set of routines invoked by, or on behalf of, the thread that have not yet exited.
Overview of the distributed system
Methods and systems consistent with the invention operate in a distributed system having various components, including hardware and software. The exemplary distributed system (1) allows users of the system to share services and resources over a network of many devices; (2) provides programmers with tools and programming patterns that allow the development of robust, secure distributed systems; and (3) simplifies the task of administering the distributed system. To accomplish these goals, the exemplary distributed system uses the Java™ programming environment to allow code and data to move from device to device in a seamless manner. Accordingly, the exemplary distributed system is layered on top of the Java programming environment and exploits the characteristics of this environment, including the security it offers and its strong typing. The Java programming environment is described more fully in "Java 1.1 Developer's Guide" by Jaworski, published by Sams.net in 1997.
In the exemplary distributed system, different computers and devices are federated into what appears to the user to be a single system. By appearing as a single system, the exemplary distributed system provides the simplicity of access and the power of sharing that a single system can provide, without giving up the flexibility and personalized response of a personal computer or workstation. The exemplary distributed system may contain thousands of devices operated by users who are geographically dispersed but who agree on basic notions of trust, administration and policy.
Within the exemplary distributed system are various logical groupings of services provided by one or more devices; each such logical grouping is known as a "Djinn". A "service" refers to a resource, data or functionality that can be accessed by a user, a program, a device or another service, and that can be computational, storage-related, communication-related or related to providing access to another user. Examples of services provided as part of a Djinn include devices such as printers, displays and disks; software such as applications and utilities; information such as databases and files; and the users of the system.
Both users and devices may join a Djinn. When joining a Djinn, a user or device adds zero or more services to the Djinn and may access, subject to security constraints, any one of the services it contains. Thus, devices and users federate into a Djinn to share access to its services. Programmatically, the services of a Djinn appear as objects of the Java programming environment, which may include other objects, software components written in different programming languages, or hardware devices. A service has an interface that defines the operations that can be requested of that service, and the type of the service determines the interfaces that make up that service.
Fig. 1 depicts the exemplary distributed system 1000, which comprises a computer 1100, a computer 1200 and a device 1300 interconnected by a network 1400. Computers 1100 and 1200 may be any conventional computer, such as an IBM-compatible computer, or even a "dumb" terminal. During typical operation, computers 1100 and 1200 may establish a client-server relationship to send and receive data.
Device 1300 may be any of a number of devices, such as a printer, fax machine, storage device, computer or other device. Network 1400 is a local area network, a wide area network or the Internet. Although only two computers and one device are shown as making up the exemplary distributed system 1000, those skilled in the art will appreciate that the exemplary distributed system 1000 may include additional computers or devices.
Fig. 2 depicts computer 1100 in greater detail, showing a number of the software components of the exemplary distributed system 1000. Those skilled in the art will appreciate that computer 1200 or device 1300 may be similarly configured. Computer 1100 includes a memory 2100, a secondary storage device 2200, a central processing unit (CPU) 2300, an input device 2400 and a video display 2500. Memory 2100 includes a lookup service 2110, a discovery server 2120 and a Java™ runtime system 2130. The Java runtime system 2130 includes the Java™ remote method invocation (RMI) system 2140 and a Java™ virtual machine (JVM) 2150. Secondary storage device 2200 includes a Java™ space 2210.
As mentioned above, the exemplary distributed system 1000 is based on the Java programming environment and thus makes use of the Java runtime system 2130. The Java runtime system 2130 includes the Java™ application programming interface (API), which allows programs running on top of the Java runtime system to access, in a platform-independent manner, various system functions, including windowing and networking capabilities of the host operating system. Since the Java API provides a single common API across all operating systems to which the Java runtime system 2130 has been ported, programs running on top of a Java runtime system run in a platform-independent manner, regardless of the operating system or hardware configuration of the host platform. The Java runtime system 2130 is provided as part of the Java™ software development kit, which is available from Sun Microsystems of Mountain View, California.
The JVM 2150 also facilitates platform independence. The JVM 2150 acts like an abstract computing machine: it receives instructions from programs in the form of bytecodes and interprets these bytecodes by dynamically converting them into an executable form, such as object code, and executing them. RMI 2140 facilitates remote method invocation by allowing objects executing on one computer or device to invoke methods of an object on another computer or device. RMI may be located within the JVM, and both RMI and the JVM are provided as part of the Java software development kit.
The lookup service 2110 defines the services that are available for a particular Djinn. That is, there may be more than one Djinn and, consequently, more than one lookup service within the exemplary distributed system 1000. The lookup service 2110 contains one object for each service within the Djinn, and each object contains various methods that facilitate access to the corresponding service. The lookup service 2110 and its access are described in greater detail in co-pending U.S. Patent Application No. 09/044,826, entitled "Method and System for Facilitating Access to a Lookup Service", which was previously incorporated herein by reference.
The discovery server 2120 detects when a new device is added to the exemplary distributed system 1000, during a process known as boot and join or discovery, and when a new device is detected, the discovery server passes a reference to the lookup service 2110 to the new device, so that the new device may register its services with the lookup service and become a member of the Djinn. After registration, the new device becomes a member of the Djinn and, as a result, may access all the services contained in the lookup service 2110. The process of boot and join is described in greater detail in co-pending U.S. Patent Application No. 09/044,939, entitled "Apparatus and Method for Providing Downloadable Code for Use in Communicating with a Device in a Distributed System", which was previously incorporated herein by reference.
The Java space 2210 is an object repository used by programs within the exemplary distributed system 1000 to store objects. Programs use the Java space 2210 to store objects persistently and to make them accessible to other devices within the exemplary distributed system. Java spaces are described in greater detail in co-pending U.S. Patent Application No. 08/971,529, entitled "Database System Employing Polymorphic Entries and Entry Matching", assigned to a common assignee, filed on November 17, 1997, the contents of which are incorporated herein by reference. Those skilled in the art will appreciate that the exemplary distributed system 1000 may contain many lookup services, discovery servers and Java spaces.
Exemplary Call Stack
During typical operation, a client such as computer 1100 executes threads (or processes), and these threads access resources on servers such as computers 1200 and 1300 of Fig. 1 by making calls. RMI 2140 (Fig. 2) determines the communication requirements associated with a thread's call. According to one embodiment of the invention, the communication requirements vary with the routine (for example, a method or function) the thread is currently executing and with the routines that caused the current routine to be invoked. The sequence of calls that led to the routine currently executing in a thread is reflected in that thread's call stack.
Fig. 3 illustrates the call stack of a thread. The illustrative call stack is referred to in explaining the operation of a security mechanism that ensures the communication requirements of every program participating in a thread's call are satisfied.
Fig. 3 is a block diagram that includes a call stack 3100 associated with a thread 3200, in which method 3210 of object 3310 calls method 3220 of another object 3320, method 3220 calls method 3230 of another object 3330, and method 3230 calls the get security requirements method 3240 of a security controller object 3340.
Thread 3200 is a thread executing on computer 1100. Call stack 3100 is a stack data structure representing the hierarchy of method invocations made by thread 3200 at any given time. In the situation shown in Fig. 3, call stack 3100 contains a frame for each method that thread 3200 has invoked but not yet completed.
Each of frames 3110-3140 corresponds to a method invoked by thread 3200 that has not yet completed. The relative position of each frame on call stack 3100 reflects the invocation order of the corresponding methods. When a method completes, its frame is removed from call stack 3100; when a method is invoked, a frame for it is pushed onto the top of call stack 3100.
Each frame contains information about the method and object to which it corresponds. From this information the class of the method can be determined by invoking the "get class" method that JVM 2150 provides for every object. The information in a frame also includes the communication requirements of the associated method.
For example, suppose thread 3200 invokes method 3210. While executing method 3210, thread 3200 invokes method 3220; while executing method 3220, it invokes method 3230; and while executing method 3230, it invokes method 3240. At that point, as shown in Fig. 3, call stack 3100 represents the invocation hierarchy of all of these methods: frame 3140 corresponds to method 3240, frame 3130 to method 3230, frame 3120 to method 3220, and frame 3110 to method 3210. When thread 3200 completes method 3240, frame 3140 is removed from call stack 3100.
Each method on the call stack carries a set of communication requirements. The following example code illustrates one technique for setting the communication requirements of a method. Although the example code resembles the Java programming language used by Sun Microsystems, Inc., the example is illustrative only and does not represent actual code.
    try {
        Security.beginRequired(requirements);
        [code to which the requirements apply]
    } finally {
        Security.endScope();
    }
Because communication requirements are associated with particular methods, some mechanism is needed to determine the communication requirements of a thread whose call stack holds frames for several methods. According to one embodiment of the invention, this determination is made by a security controller object.
Exemplary Security Controller
According to one embodiment of the invention, security controller object 3340 determines the communication requirements associated with a particular action requested by thread 3200. Specifically, before performing an action (such as calling a server), RMI 2140 invokes the get security requirements method 3240 of security controller object 3340. Get security requirements method 3240 combines the communication requirements associated with each frame on call stack 3100 so as to obtain the strictest requirements for the requested action. Method 3240 may perform the combination in any conventional manner.
If any method in the call hierarchy requests confidentiality, integrity or server authentication, method 3240 specifies confidentiality, integrity or server authentication, respectively, for the action. If any method requests anonymity, method 3240 specifies anonymity for the action, overriding any indication of non-anonymity. If any method refuses to allow delegation, method 3240 specifies no delegation for the action, overriding any authorization of delegation.
Determining Security Requirements for an Action
Fig. 4 is a flow diagram showing the processing performed by get security requirements method 3240. Suppose that thread 3200 is executing method 3230 when it requests an action, and that when thread 3200 invokes method 3240 it has already invoked methods 3210, 3220 and 3230 but has not yet completed them. The communication requirements associated with thread 3200 at the time of the request are stored in frames 3110-3130.
Method 3240 first identifies all methods, namely methods 3210-3230, that have frames on call stack 3100 [step 4110]. Method 3240 then examines frames 3110-3130, associated with methods 3210-3230 respectively, to determine the communication requirements requested by each method [step 4120]. By combining the communication requirements of these methods, it determines the security requirements for the action [step 4130]. As noted above, when method 3240 combines communication requirements it replaces lower requirements with higher ones. RMI 2140 then performs the action with the security requirements determined by method 3240.
If the action is a call to invoke a remote method on a server, for example, RMI 2140 obtains the server's security requirements. RMI 2140 obtains them from a local copy of a server security level repository that contains the requirements. RMI 2140 uses the server's security requirements to determine whether the remote method supports the security requirements determined by method 3240. If the remote method does not support them, RMI 2140 notifies thread 3200 of this fact, which it may do by throwing an exception.
If the remote method supports the security requirements, RMI 2140 determines which communication protocols are usable and selects the protocol that satisfies both the security requirements determined by method 3240 and those of the server with the minimum combination. Having found a communication protocol, RMI 2140 negotiates with the server to make the call using that protocol, and then begins using the protocol to make the call.
Other Embodiments for Determining Security Requirements for an Action
Fig. 5 is a flow diagram showing other embodiments of the invention for determining the security requirements associated with an action. Referring back to Fig. 4, the communication requirements of all methods having frames on the call stack are combined in the manner described above [step 5110]. In another embodiment of the invention, the communication requirements of all methods having frames on the call stack are combined with the communication requirements set in a global context, to obtain a combined set of communication requirements for the action [step 5120]. When communication requirements are combined, higher communication requirements replace lower ones.
In another embodiment, the communication requirements of all methods having frames on the call stack are combined with the communication requirements of the server that will perform the action, to obtain the communication requirements for the action [step 5130]. Again, when communication requirements are combined, higher requirements replace lower ones.
In yet another embodiment, the combined set of communication requirements (that is, those of all methods having frames on the call stack together with those set in the global context) is combined with the communication requirements of the server that will perform the action, to obtain the communication requirements for the action [step 5130]. When communication requirements are combined, higher requirements replace lower ones.
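The scoped try/finally declaration, the security controller's combination rule (Figs. 3 and 4), the server-support check with protocol selection, and the global-context and server-requirement variants of Fig. 5 are modelled together in the following added Python example. It is not the patent's code and not Sun's RMI: the five requirement flags, the Protocol capability model, the sample protocol table and the requirements placed in each frame are constructed assumptions; frame and step numbers in the comments refer to the patent's figures.

```python
"""Added example (not the patent's own code): Python model of stack-scoped security
requirements and a security controller that joins them. Constructed assumptions:
the five requirement flags, the Protocol model and the sample protocol table."""
import threading
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Requirements:
    """Communication requirements a method places on an action."""
    confidentiality: bool = False
    integrity: bool = False
    server_auth: bool = False
    anonymity: bool = False
    allow_delegation: bool = True  # False = this method refuses delegation

    def combine(self, other: "Requirements") -> "Requirements":
        """Higher replaces lower: any request wins, any delegation refusal wins."""
        return Requirements(
            confidentiality=self.confidentiality or other.confidentiality,
            integrity=self.integrity or other.integrity,
            server_auth=self.server_auth or other.server_auth,
            anonymity=self.anonymity or other.anonymity,
            allow_delegation=self.allow_delegation and other.allow_delegation,
        )

@dataclass(frozen=True)
class Protocol:
    """What a communication protocol provides (constructed model)."""
    name: str
    confidentiality: bool = False
    integrity: bool = False
    server_auth: bool = False
    client_auth: bool = False  # authenticating the client defeats anonymity
    delegation: bool = False   # protocol forwards the caller's identity

    def satisfies(self, req: Requirements) -> bool:
        return ((not req.confidentiality or self.confidentiality)
                and (not req.integrity or self.integrity)
                and (not req.server_auth or self.server_auth)
                and (not req.anonymity or not self.client_auth)
                and (req.allow_delegation or not self.delegation))

    def cost(self) -> int:  # features enabled; the "minimum" protocol is the cheapest
        return sum((self.confidentiality, self.integrity, self.server_auth,
                    self.client_auth, self.delegation))

_local = threading.local()  # one stack of requirement frames per thread (Fig. 3)

def _frames() -> list:
    if not hasattr(_local, "frames"):
        _local.frames = []
    return _local.frames

@contextmanager
def required(req: Requirements):
    """Scoped form of Security.beginRequired(...) / finally Security.endScope()."""
    frames = _frames()
    frames.append(req)  # push the frame on entry...
    try:
        yield
    finally:
        frames.pop()    # ...and always pop it on exit, even on error

def get_security_requirements(global_context: Optional[Requirements] = None) -> Requirements:
    """Security controller (method 3240), steps 4110-4130; global_context is step 5120."""
    combined = Requirements()
    for frame_req in _frames():      # every method still on the stack
        combined = combined.combine(frame_req)
    if global_context is not None:
        combined = combined.combine(global_context)
    return combined

def select_protocol(server_req: Requirements, server_protocols: Iterable[Protocol],
                    global_context: Optional[Requirements] = None) -> Protocol:
    """RMI step: join caller and server requirements (step 5130), refuse if unsupported."""
    combined = get_security_requirements(global_context).combine(server_req)
    candidates = [p for p in server_protocols if p.satisfies(combined)]
    if not candidates:  # the patent's "throw an exception" path
        raise PermissionError(f"no offered protocol satisfies {combined}")
    return min(candidates, key=Protocol.cost)

PROTOCOLS = (  # constructed protocol table offered by a sample server
    Protocol("plain"),
    Protocol("integrity-only", integrity=True),
    Protocol("tls-server-auth", confidentiality=True, integrity=True, server_auth=True),
    Protocol("tls-mutual-delegating", confidentiality=True, integrity=True,
             server_auth=True, client_auth=True, delegation=True),
)

def example_call_chain(server_req: Requirements = Requirements(),
                       server_protocols: Iterable[Protocol] = PROTOCOLS) -> str:
    """Fig. 3 chain (method 3210 -> 3220 -> 3230 -> RMI); returns the chosen protocol."""
    with required(Requirements(integrity=True)):                # frame 3110
        with required(Requirements(anonymity=True)):            # frame 3120
            with required(Requirements(confidentiality=True)):  # frame 3130
                return select_protocol(server_req, server_protocols).name
```

Two design points carry over from the patent. First, combine() is a join on a lattice of requirements (each flag only ever moves toward the stricter value), so the result does not depend on the order in which frames are visited, and a frame that asks for nothing cannot weaken what an outer frame demanded. Second, required() pops its frame in a finally clause, so an exception thrown by the security controller (the server-unsupported path) or by the called code cannot leave a stale frame on the stack to inflate or deflate the requirements of the next call on that thread.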
Conclusion
Systems and methods consistent with the principles of the invention determine the security requirements associated with an action by combining the security requirements associated with each method in a call hierarchy.
The foregoing description of preferred embodiments of the invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. The scope of the invention is defined by the claims and their equivalents.
Although systems and methods consistent with the invention are described as operating in an illustrative distributed system and the Java programming environment, those skilled in the art will appreciate that the invention can be practiced in other systems and other programming environments. Additionally, although aspects of the invention are described as being stored in memory, those skilled in the art will appreciate that these aspects can also be stored on, or read from, other types of computer-readable media, such as secondary storage devices like hard disks, floppy disks or CD-ROM; a carrier wave from the Internet; or other forms of RAM or ROM. Sun, Sun Microsystems, the Sun logo, Java and Java-based trademarks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Claims (17)

1. A system for obtaining the security requirements of an action, wherein the action is requested by a caller executing on a computer and the caller invokes at least one of a plurality of methods during execution, the system comprising:
a call stack that stores representations of the methods in the order in which they are invoked by the caller, and stores the security requirements of at least one method; and
a determining device that combines the method security requirements from the call stack to obtain the security requirements of the requested action.
2. The system of claim 1, wherein the call stack stores representations and security requirements only of methods that are currently invoked.
3. The system of claim 1, wherein the method security requirements include a confidentiality requirement, by which the caller can ensure secrecy during communication.
4. The system of claim 1, wherein the method security requirements include an integrity requirement, by which the caller can ensure that communications are unaltered in transit.
5. The system of claim 1, wherein the method security requirements include an anonymity requirement, by which the caller can remain anonymous in the requested action.
6. The system of claim 1, wherein the method security requirements include a server authentication requirement, by which the caller requests that a device authenticate itself.
7. The system of claim 1, wherein the method security requirements include a delegation requirement, by which the caller authorizes a device to act with the identity of the caller.
8. The system of claim 1, wherein the determining device comprises:
a combining device for combining the method security requirements from the call stack, replacing lower method security requirements with higher method security requirements.
9. The system of claim 1, wherein the caller is a thread executing on the computer.
10. The system of claim 1, wherein the caller is a program executing on the computer.
11. A system for obtaining the security requirements of an action, wherein the action is requested by a thread executing on a computer and the thread invokes at least one of a plurality of methods during execution, the system comprising:
means for storing a method identifier and the security requirements of at least one method when it is invoked by the thread;
means for combining the stored method security requirements; and
means for obtaining the security requirements of the requested action from the combined method security requirements.
12. A computer-implemented method for determining the security requirements of an action, wherein the action is requested by an operation executing on a computer and the operation invokes at least one of a plurality of functions during execution, the method comprising the steps of:
storing a function identifier and the security requirements of at least one function when it is invoked by the operation;
receiving a request for the action from the operation;
combining the stored function security requirements; and
determining the security requirements of the requested action from the combined function security requirements.
13. A computer-readable medium containing instructions for controlling a computer to perform an action, wherein the action is requested by an operation executing on the computer and the operation invokes a plurality of functions during execution, the method comprising the steps of:
storing a function identifier and the security requirements of at least one function when it is invoked by the operation;
receiving a request for the action from the operation;
combining the stored function security requirements;
determining the security requirements of the requested action from the combined function security requirements; and
performing the requested action with the determined security requirements.
14. A data processing system, comprising:
a memory, comprising:
a program that invokes a plurality of methods during execution,
a call stack that stores a method identifier for each method invoked by the program, together with the security requirements requested by each method, and
a runtime environment that receives an action request from the program, combines the method security requirements of all methods in the call stack, determines the security requirements of the requested action from the combined method security requirements, and performs the requested action with the determined security requirements; and a processor for executing the runtime environment and the program.
15. A method of performing an operation in a computer system, comprising the steps of:
receiving, from a first caller by way of a second caller, a request to perform the operation, the first and second callers having respective security requirements; and
determining whether to perform the operation according to the security requirements of both the first and second callers.
16. The method of claim 15, wherein the determining step comprises the substep of:
combining the security requirements of the first and second callers, replacing lower requirements with higher requirements.
17. The method of claim 15, wherein the operation is a remote call to a server having security requirements, and the method further comprises the steps of:
performing the operation when the security requirements of the server support the security requirements of both the first and second callers; and
refusing to perform the operation when the security requirements of the server do not support the security requirements of both the first and second callers.
CN99805488A 1998-02-26 1999-02-18 Stack-based security requirements Pending CN1298511A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US7604898P 1998-02-26 1998-02-26
US60/076,048 1998-02-26
US09/044,944 US6226746B1 (en) 1998-03-20 1998-03-20 Stack-based system and method to combine security requirements of methods
US09/044,944 1998-03-20

Publications (1)

Publication Number Publication Date
CN1298511A true CN1298511A (en) 2001-06-06

Family

ID=26722193

Family Applications (1)

Application Number Title Priority Date Filing Date
CN99805488A Pending CN1298511A (en) 1998-02-26 1999-02-18 Stack-based security requirements

Country Status (6)

Country Link
EP (1) EP1057110A2 (en)
JP (1) JP2002505477A (en)
KR (1) KR20010040981A (en)
CN (1) CN1298511A (en)
AU (1) AU2686699A (en)
WO (1) WO1999044138A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100437479C (en) * 2004-04-30 2008-11-26 微软公司 Special-use heaps
CN102867152A (en) * 2011-06-14 2013-01-09 国际商业机器公司 System and method to protect a resource using an active avatar
CN102867152B (en) * 2011-06-14 2016-06-01 国际商业机器公司 Use the system and method for initiatively incarnation reserved resource

Families Citing this family (4)

Publication number Priority date Publication date Assignee Title
KR100560166B1 (en) * 2001-12-05 2006-03-13 한국전자통신연구원 Method for detecting hacking of realtime buffer overflow
JP4062441B2 (en) 2003-07-18 2008-03-19 日本電気株式会社 Parallel processing system and parallel processing program
JP4844102B2 (en) * 2005-11-30 2011-12-28 富士ゼロックス株式会社 Subprogram and information processing apparatus for executing the subprogram
KR100949949B1 (en) * 2008-02-28 2010-03-30 주식회사 안철수연구소 Method and Apparatus for prevention an debugging using call stack

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
ES2206461T3 (en) * 1993-07-16 2004-05-16 Siemens Aktiengesellschaft PROCEDURE FOR THE COORDINATION OF PARALLEL ACCESSES OF VARIOUS PROCESSORS TO RESOURCE CONFIGURATIONS.
AU3727097A (en) * 1996-07-25 1998-02-20 Tradewave Corporation Method and system for generalized protocol implementation on client/server communications connections

Also Published As

Publication number Publication date
WO1999044138A3 (en) 1999-11-04
KR20010040981A (en) 2001-05-15
WO1999044138A2 (en) 1999-09-02
AU2686699A (en) 1999-09-15
JP2002505477A (en) 2002-02-19
EP1057110A2 (en) 2000-12-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C01 Deemed withdrawal of patent application (patent law 1993)
WD01 Invention patent application deemed withdrawn after publication